Questions tagged [asvs]

Application Security Verification Standard (ASVS) is an OWASP project to provide guidance to security control developers and a basis for specifying security requirements.

10 questions
4 votes, 1 answer

How relevant is OWASP ASVS?

How relevant is the OWASP application security verification standard? Have you had it as a requirement made by business? What other application security standards relevant to business are there? I did try to search for them, but only OWASP ASVS…
Štef FoReal
4 votes, 2 answers

Why does OWASP ASVS require HTTP responses to have a content header specifying a character set?

The OWASP Application Security Verification Standard (ASVS), Version 3, states in clause V11.2: Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1). What would be the threat of…
countermode
2 votes, 1 answer

How to interpret "Verify the use of a secure software development lifecycle that addresses security in all stages of development"?

I've been looking at OWASP Application Security Verification Standard 4.0.2 for a while now, and I'm trying to understand all the checkpoints in detail. I am not sure what exactly the author of a particular point meant. Therefore, I have a request…
soro
1 vote, 1 answer

Do we need threat modelling after following ASVS standard?

We are planning to lay out guidelines in our organisation for everyone to follow a secure software development lifecycle. As part of this, we plan to adopt the security knowledge framework (SKF) that provides a checklist based on the ASVS standard…
1 vote, 2 answers

Passwords verification against a set of breached passwords

NIST and OWASP ASVS recommend checking passwords against those obtained from previous data breaches. The list of such passwords can be downloaded from "Have I Been Pwned" (https://haveibeenpwned.com/Passwords), but there are more than 300 million…
user187205
1 vote, 2 answers

OWASP ASVS asking for client-side validation?

While perusing ASVS 3.0.1 I came across requirement V5.18: Verify that client side validation is used as a second line of defense, in addition to server side validation. Umm... is client-side validation not said to have no security benefit…
countermode
0 votes, 1 answer

What parameters can be used to configure context-sensitive authorisation?

I recognise that context-sensitive authorisation to applications is a good security control; however, I can currently only think of location being an example of a sensitive context. I don't consider time being a sensitive context, so are there any…
ellefc
0 votes, 2 answers

How should I interpret "access controls on the presentation layer are enforced on the server side"?

This question is with reference to the OWASP standard (Access control rules on the presentation layer are enforced on the server side - OWASP ASVS 3.0 - 4.9) I'm trying to deeply understand what it means so that I can communicate it to a…
ellefc
0 votes, 1 answer

What is an "appropriate" request size limit for a web service?

Point 18.4 of the OWASP ASVS says: Verify that all input is limited to an appropriate size limit. Currently I have an input limit of 50MB on all web services. (And it seems like this is the default in Microsoft Windows.) I imagine that such a high…
floworbit
0 votes, 0 answers

Recognized complement to OWASP's ASVS requirements

The OWASP ASVS focuses on web-application verification. It is free and recognised worldwide as a good reference to build upon, or simply reuse. It is useful to use it when outsourcing web development. However OWASP does not provide similar…
niilzon